Finding the right SaaS governance approach for your organization often feels like searching out an elusive balance. How can you empower and entrust business units and employees to purchase the tools they need, while still ensuring you don’t open up the organization to overspend and risk?
Enter a new approach to SaaS governance – a strategy we’re calling Freedom within a Framework.
- The rising importance of having a governance framework
- What “Freedom Within a Framework” is and how to implement it
- How OneAmerica strikes a balance in their organization
Watch the webinar on-demand here.
Why SaaS Governance is Important
The real challenge that SaaS applications present has largely to do with the changing nature of the physical work environment. The way we work has fundamentally changed as a result of the pandemic. People are not connected to a centralized corporate network behind firewalls with centrally controlled and managed tools. There’s often no oversight into what kind of software comes in and goes out. Because large IT organizations have lost that centralized point of control, managing SaaS governance has become a much greater challenge.
The best way to understand its importance is to examine what the absence of governance looks like. Without governance, you have nothing but chaos. Chaos leads to wasted resources – both in terms of time and money. That can lead to employee burnout and degradation of morale, because nobody knows what the rules are. It can also potentially lead to financial ruin.
One of the most obvious advantages to governance is financial. That is, are you making the best use of the number of seats and licenses you bought? The less obvious piece of that, and in some cases more significant, is the financial gain that comes from speed of execution. More importantly, the real benefit is the reduction of cyber risk that’s posed from shadow IT.
It’s All about a Predictable Process
Governance from the Freedom within a Framework approach leads to predictability, predictability leads to trust, and trust leads to increased speed of execution, regardless of the process.
When your processes become more predictable, you have fewer exceptions, anomalies, and dumpster fires. Every one of those unforeseen events becomes an incident.
In security nomenclature, every time there’s an incident, you have to spin up an incident response team. That takes time. That takes resources.
Let’s use the analogy of a fire department. Every time you call the fire department, that takes time and resources, and potentially involves some danger. It’s the same when you pull the alarm on a security incident. Often, the root cause is some kind of shadow IT, a vulnerable SaaS application being installed, or a lack of governance program.
Every time you call that incident response team, there’s a cost involved. It’s not just the cost of dollars, but perhaps more importantly, the cost of lost productivity.
Reframe Security as Trust
Some organizations like to think of security as trusting their employees. Let’s take Jim Goldman’s example of building a GRC organization at Salesforce.
“Governance was not some kind of onerous, top down, restrictive, eliminate your creativity and autonomy kind of thing. We had to get over that fear, uncertainty and doubt when we established the security GRC organization there. And really it was this Freedom within a Framework.”
They established a risk portfolio management function that examined and prioritized risks to the organization. A key piece of this was transparency. Part of creating trust was providing full disclosure into the governance process. “There are no secrets, no backroom deals, no favoritism. Here are the rules, and here’s what we’re doing.”
How to Implement Freedom within a Framework
How do you implement a realistic governance program? We’re all moving fast. We all rely on software and tech to run our businesses. And it’s more important than ever that you have SaaS governance in place. But there are a lot of conflicting interests between IT and employee experience.
When we think of goals of SaaS governance, we focus on these four key areas.
- Reducing costs. It’s not just security, it’s part of the value of the business and the amount of investment that has to go into technology.
- Mitigating and reducing risk, which is very important.
- Consolidating redundancies. Particularly in SaaS, the number of vendors a company is using is typically in the hundreds, if not thousands. Look at cost issues as well as where employees are spending their time and resources.
- License optimization in provisioning. It’s about taking a software asset management approach to licensing and managing hundreds of vendors that all have different pricing and licensing options.
Centralized vs Decentralized Governance
When most organizations say governance, they start to describe a centralized environment where you’re trying to prevent software purchasing from happening from multiple points. It’s ensuring that every application or new technology that comes in gets vetted and goes through security evaluations. This is the absolute right thing to reduce risks and protect a company, but it’s in conflict with the speed at which businesses need to run. It also sometimes holds back innovation in how software can be selected.
In contrast, a very fast-growing company may look to a more decentralized SaaS environment. Similarly, companies at the onset of the pandemic had to empower employees quickly with new technology. It was about getting software in the people’s hands quickly versus vetting and controlling the process along the way. The downside of that is they ended up with a lot of software and unused licenses. Now, there are risks surfacing – and sometimes ones they don’t even know exist, because there’s not visibility into it.
What is Freedom within a Framework?
At Zylo, we’ve learned that the right philosophy for most organizations is to implement a framework so you can get the best of both worlds: empowered employees and a secure and compliant environment. We call it Freedom within a Framework.
In a nutshell, it’s setting up some centralized processes and getting visibility to the right people, while enabling employees with good education and ways to buy software from within.
Certainly, there is some complexity, and change management work that has to be done in an organization to make it happen. Organizations should follow these steps to gain alignment with the business and drive it through the leadership of IT.
- Identifying and monitoring SaaS inventory
- Establishing a process for review and optimization
- Empowering employees
Identify and Monitor Your SaaS Inventory
Typically, most organizations have a challenge identifying software in the organization. That’s because with so many buyers, it’s difficult to stay ahead.
SaaS discovery is key to making this possible. Then it’s all about continually monitoring the existing portfolio. And it’s not just new software. It’s looking at and reviewing the software that’s already there.
Start by analyzing all the data you have. Then look at things like what you’re paying for. What are employees expensing? What’s being paid through AP? Additionally, find out how employees are accessing software directly through Okta or through the applications themselves. It’s integrating a lot of systems to get one view. And, today, that’s possible to do.
Unfortunately, sometimes it takes a big event for organizations to realize their lack of visibility. Perhaps that’s an unexpected cost of an application, or an employee leaves and doesn’t have their access shut off. That’s usually when the audit happens. The problem is that if you’re not doing it on an ongoing basis, in real time, your information is always out of date.
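The "one view" described above, in which expense reports, AP invoices and identity-provider app assignments are merged and then checked for the two failure modes just mentioned (unmanaged spend and leavers whose access was never shut off), can be illustrated with a small correlation script. The following is an added example written for this recap; it is not Zylo's product code or any real inventory. All records are constructed sample data, the vendor-to-app mapping is assumed to be maintained by the governance team, and the shape of the SSO assignment export is an assumption (a real Okta export would need its own field mapping).

```python
from collections import defaultdict

# All records below are constructed sample data for illustration; they are not
# real vendor prices, real employees, or an actual identity-provider export.
EXPENSE_REPORTS = [
    {"employee": "alice", "vendor": "Slack Technologies", "amount": 96.00},
    {"employee": "bob", "vendor": "Notion Labs", "amount": 48.00},
    {"employee": "erin", "vendor": "Notion Labs", "amount": 48.00},
]
AP_INVOICES = [
    {"vendor": "Slack Technologies", "amount": 12000.00},
    {"vendor": "Zoom Video Communications", "amount": 8000.00},
]
# Assumed shape of an SSO app-assignment export (constructed, not an Okta format).
SSO_ASSIGNMENTS = [
    {"app": "Slack", "users": ["alice", "bob", "carol"]},
    {"app": "Zoom", "users": ["alice", "dave"]},
]
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated",
             "dave": "active", "erin": "active"}
# Vendor-name to application-name mapping, assumed to be kept by the governance team.
VENDOR_TO_APP = {
    "Slack Technologies": "Slack",
    "Notion Labs": "Notion",
    "Zoom Video Communications": "Zoom",
}


def _new_entry():
    return {"spend": 0.0, "sources": set(), "sso_managed": False,
            "users": set(), "orphaned_users": set(), "flags": []}


def build_inventory(expenses, invoices, sso_assignments, roster, vendor_map):
    """Merge the three data sources into one app-keyed inventory and flag
    governance gaps: spend with no SSO-managed access, expense-only purchases,
    and SSO access still assigned to people HR lists as terminated."""
    inventory = defaultdict(_new_entry)

    for rec in expenses:
        app = vendor_map.get(rec["vendor"], rec["vendor"])
        inventory[app]["spend"] += rec["amount"]
        inventory[app]["sources"].add("expense")

    for rec in invoices:
        app = vendor_map.get(rec["vendor"], rec["vendor"])
        inventory[app]["spend"] += rec["amount"]
        inventory[app]["sources"].add("ap")

    active = {user for user, status in roster.items() if status == "active"}
    for rec in sso_assignments:
        entry = inventory[rec["app"]]
        entry["sso_managed"] = True
        entry["sources"].add("sso")
        entry["users"].update(rec["users"])
        entry["orphaned_users"] = entry["users"] - active

    for app, entry in inventory.items():
        if entry["spend"] > 0 and not entry["sso_managed"]:
            entry["flags"].append("NO_SSO")           # paid for, but access is not centrally managed
        if "expense" in entry["sources"] and "ap" not in entry["sources"]:
            entry["flags"].append("EXPENSE_ONLY")     # bought on a card, never through procurement
        if entry["orphaned_users"]:
            entry["flags"].append("ORPHANED_ACCESS")  # leavers whose access was not shut off
        entry["spend"] = round(entry["spend"], 2)
    return dict(inventory)


def report(inventory):
    """Return one line per flagged app, highest spend first, for a review-board agenda."""
    lines = []
    for app, e in sorted(inventory.items(), key=lambda kv: -kv[1]["spend"]):
        if e["flags"]:
            lines.append(f"{app}: ${e['spend']:,.2f} via {sorted(e['sources'])} "
                         f"flags={e['flags']} orphaned={sorted(e['orphaned_users'])}")
    return lines


if __name__ == "__main__":
    inv = build_inventory(EXPENSE_REPORTS, AP_INVOICES, SSO_ASSIGNMENTS, HR_ROSTER, VENDOR_TO_APP)
    for line in report(inv):
        print(line)
```

Run on the sample data, Notion surfaces as expense-only spend with no SSO-managed access (the shadow-IT case), Slack surfaces because a terminated user still holds an assignment (the leaver case), and Zoom is clean. The point of the structure is that each flag maps to a specific data source being absent or inconsistent, which is what makes an ongoing, automated check possible rather than a one-off audit.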
Build a Process for Review and Optimization
Once you’ve found everything, categorized it, and have an ongoing SaaS system of record, you can start to make progress on intake.
One thing all organizations can do without any technology is establish a review board. It can be lightweight, but you want to include key stakeholders. Typically, that’s finance, IT, HR and legal. That’s a good operational team.
Then, look across the business at stakeholders that are going to be appropriate to manage the software and the budgets within the department. That’s where you can set expectations on the types of software, what guidelines should be in place for security, and so on.
At the end of the day, governance is about giving employees a great software experience. This is the really important step of enabling Freedom within a Framework.
You put controls in place for guidelines and reviews to happen. Your applications are all categorized. And you have data for how they’re being used in the organization. Now you can push those out to employees for access, and you can do this in a couple ways.
There are companies that build homegrown systems, and there are platforms that do it for them. We certainly are in this business of helping drive this type of effort. Ultimately, it’s about setting up processes and doing that now; then you can pick the right technology solutions to implement.
The new challenge for IT is that you’re now competing with consumer expectations. Employees have app stores on their phone to find and access software. The bar is: you have to make it as appealing as this mobile experience. And the ease of finding, requesting, and provisioning apps should be frictionless.
How to Measure Governance Effectiveness
If you can begin and follow this process, you will have:
- Complete, ongoing visibility into your SaaS portfolio to drive governance and reduce risk
- A thoughtful software experience for employees using an app catalog
- Maximized your software utilization and adoption across the business
Freedom within a Framework in Action
During the webinar, we asked Jose Martinez how OneAmerica puts this concept into practice.
Early on, OneAmerica’s decisions and oversight were centralized.
“Many years ago, the team realized they didn’t have a good grasp on their overall SaaS spend. And their approval process was weak. Employees were just buying solutions on the fly. In addition, enterprise architecture and integrated solutions weren’t under serious consideration or priority.”
Over time, they shifted to a partnership approach, which helped IT become a trusted entity within the business.
About five or so years ago, “we made a conscious decision to centralize the approval process, implement software to gain visibility, and incorporate software review boards.”
It started by decentralizing certain components to help people move faster and increase efficiency. A few examples of this include:
- Evolving the partnership between IT and lines of business to create alignment and shift the culture and mindset of the business
- Shifting the funding models into the IT operational budget to gain clear visibility and holistic understanding of all SaaS spend
- Decentralizing budget accountability to empower the organization to be thoughtful about their investments, prioritize, and reduce waste
Use a Framework to Mature Your Governance Model
When it comes to SaaS governance, it’s extremely important to have a framework. But it can’t come at the expense of innovation and speed.
Identify the problem you’re trying to solve. Is it financial spend analysis or is there something deeper? Often, it’s something deeper than financial spend analysis – or what have you. It could be integrated, stronger partnerships at the enterprise level, better operational measurements, or organized budgets. Start with the problem at hand and spend time deep diving before you just jump into governance.
As Jose shared in the webinar, “If you just jump into governance for the sake of it, you can create a Frankenstein, which just devalues and takes away from what you’re trying to accomplish.”
To learn more about Freedom within a Framework and how to evolve your SaaS governance framework, download our ebook.
About Jim Goldman, CEO and co-founder of Trava
Jim built Trava to help organizations manage security and risk. He’s spent decades managing security and governance for cloud companies. Prior to founding Trava, he helped build the first GRC organization at Salesforce and worked in cyber crime for the FBI.
About Jose Martinez, SVP and CIO of OneAmerica
Jose heads up IT and cybersecurity at OneAmerica, a fast-growing holding company that helps organizations manage risk. He has more than 20 years of experience in highly-regulated industries.